redirect org users to org dashboard (#2482)

* redirect user to org dashboard on login based on the first org they are determined to be a part of, if they are a part of one

* fix test

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* only redirect to org dashboard on first login, and always skip onboarding for org users

* redirect using APP_BASE_URL

* remove org keycloak scope from default env and add a note about enabling it

* fix tests, use settings fixture in authentication views tests

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: gumaerc

authentication/views.py

@@ -1,14 +1,16 @@
 """Authentication views"""
 
 import logging
+from urllib.parse import urljoin
 
 from django.contrib.auth import logout
 from django.shortcuts import redirect
 from django.utils.http import url_has_allowed_host_and_scheme, urlencode
+from django.utils.text import slugify
 from django.views import View
 
 from main import settings
-from main.middleware.apisix_user import ApisixUserMiddleware
+from main.middleware.apisix_user import ApisixUserMiddleware, decode_apisix_headers
 
 log = logging.getLogger(__name__)
 
@@ -64,6 +66,8 @@ class CustomLoginView(View):
     Redirect the user to the appropriate url after login
     """
 
+    header = "HTTP_X_USERINFO"
+
     def get(
         self,
         request,
@@ -76,15 +80,42 @@ def get(
         redirect_url = get_redirect_url(request)
         if not request.user.is_anonymous:
             profile = request.user.profile
-            if not profile.has_logged_in:
-                profile.has_logged_in = True
-                profile.save()
-            if (
+
+            apisix_header = decode_apisix_headers(request, self.header)
+
+            # Check if user belongs to any organizations
+            user_organizations = (
+                apisix_header.get("organizations", {}) if apisix_header else {}
+            )
+
+            if user_organizations:
+                # First-time login for org user: redirect to org dashboard
+                if not profile.has_logged_in:
+                    first_org_name = next(iter(user_organizations.keys()))
+                    org_slug = slugify(first_org_name)
+
+                    log.info(
+                        "User %s belongs to organization: %s (slug: %s)",
+                        request.user.email,
+                        first_org_name,
+                        org_slug,
+                    )
+
+                    redirect_url = urljoin(
+                        settings.APP_BASE_URL, f"/dashboard/organization/{org_slug}"
+                    )
+            # Non-organization users: apply onboarding logic
+            elif (
                 not profile.completed_onboarding
                 and request.GET.get("skip_onboarding", "0") == "0"
             ):
                 params = urlencode({"next": redirect_url})
                 redirect_url = f"{settings.MITOL_NEW_USER_LOGIN_URL}?{params}"
                 profile.completed_onboarding = True
                 profile.save()
+
+            if not profile.has_logged_in:
+                profile.has_logged_in = True
+                profile.save()
+
         return redirect(redirect_url)

authentication/views_test.py

@@ -3,9 +3,9 @@
 import json
 from base64 import b64encode
 from unittest.mock import MagicMock
+from urllib.parse import urljoin
 
 import pytest
-from django.conf import settings
 from django.test import RequestFactory
 from django.urls import reverse
 
@@ -28,10 +28,18 @@ def test_custom_login(mocker, next_url, allowed):
     assert get_redirect_url(mock_request) == (next_url if allowed else "/app")
 
 
-@pytest.mark.parametrize("has_apisix_header", [True, False])
-@pytest.mark.parametrize("next_url", ["/search", None])
-def test_logout(mocker, next_url, client, user, has_apisix_header):
+@pytest.mark.parametrize(
+    "test_params",
+    [
+        (True, "/search"),
+        (True, None),
+        (False, "/search"),
+        (False, None),
+    ],
+)
+def test_logout(mocker, client, user, test_params, settings):
     """User should be properly redirected and logged out"""
+    has_apisix_header, next_url = test_params
     header_str = b64encode(
         json.dumps(
             {
@@ -55,10 +63,10 @@ def test_logout(mocker, next_url, client, user, has_apisix_header):
     mock_logout.assert_called_once()
 
 
-@pytest.mark.parametrize("is_authenticated", [True])
-@pytest.mark.parametrize("has_next", [False])
-def test_next_logout(mocker, client, user, is_authenticated, has_next):
+@pytest.mark.parametrize("test_params", [(True, False)])
+def test_next_logout(mocker, client, user, test_params, settings):
     """Test logout redirect cache assignment"""
+    is_authenticated, has_next = test_params
     next_url = "https://ocw.mit.edu"
     mock_request = mocker.MagicMock(
         GET={"next": next_url if has_next else None},
@@ -211,3 +219,60 @@ def test_custom_login_view_first_time_login_sets_has_logged_in(mocker):
 
     # Verify redirect was called with the correct URL
     mock_redirect.assert_called_once_with("/dashboard")
+
+
+@pytest.mark.parametrize(
+    "test_case",
+    [
+        (
+            (False, False),
+            "/dashboard/organization/test-organization",
+        ),  # First-time login → org dashboard
+        (
+            (False, True),
+            "/dashboard/organization/test-organization",
+        ),  # First-time login → org dashboard
+        ((True, False), "/app"),  # Subsequent login → normal app (not onboarding!)
+        ((True, True), "/app"),  # Subsequent login → normal app
+    ],
+)
+def test_login_org_user_redirect(mocker, client, user, test_case, settings):
+    """Test organization user redirect behavior - org users skip onboarding regardless of onboarding status"""
+    # Unpack test case
+    profile_state, expected_url = test_case
+    has_logged_in, completed_onboarding = profile_state
+
+    # Set up user profile based on test scenario
+    user.profile.has_logged_in = has_logged_in
+    user.profile.completed_onboarding = completed_onboarding
+    user.profile.save()
+
+    header_str = b64encode(
+        json.dumps(
+            {
+                "preferred_username": user.username,
+                "email": user.email,
+                "sub": user.global_id,
+                "organization": {
+                    "Test Organization": {
+                        "role": "member",
+                        "id": "org-123",
+                    }
+                },
+            }
+        ).encode()
+    )
+    client.force_login(user)
+    response = client.get(
+        "/login/",
+        follow=False,
+        HTTP_X_USERINFO=header_str,
+    )
+    assert response.status_code == 302
+    # Handle environment differences - in some envs it returns full URL, in others just path
+    expected_full_url = urljoin(settings.APP_BASE_URL, expected_url)
+    assert response.url in [expected_url, expected_full_url]
+
+    # Verify that org users are never sent to onboarding
+    # (onboarding URL would contain settings.MITOL_NEW_USER_LOGIN_URL)
+    assert settings.MITOL_NEW_USER_LOGIN_URL not in response.url

env/backend.env

@@ -48,6 +48,7 @@ KEYCLOAK_CLIENT_ID=apisix
 KEYCLOAK_CLIENT_SECRET=HckCZXToXfaetbBx0Fo3xbjnC468oMi4 # pragma: allowlist-secret
 KEYCLOAK_DISCOVERY_URL=http://kc.ol.local:8066/realms/ol-local/.well-known/openid-configuration
 KEYCLOAK_REALM_NAME=ol-local
+# For some organization related functionality, add organization:* if you have orgs enabled
 KEYCLOAK_SCOPES="openid profile ol-profile"
 KEYCLOAK_SVC_KEYSTORE_PASSWORD=supertopsecret1234
 KEYCLOAK_SVC_HOSTNAME=kc.ol.local

env/backend.local.example.env

@@ -31,6 +31,7 @@ KEYCLOAK_CLIENT_ID=apisix
 KEYCLOAK_CLIENT_SECRET=HckCZXToXfaetbBx0Fo3xbjnC468oMi4 # pragma: allowlist-secret
 KEYCLOAK_DISCOVERY_URL=http://kc.ol.local:8066/realms/ol-local/.well-known/openid-configuration
 KEYCLOAK_REALM_NAME=ol-local
+# For some organization related functionality, add organization:* if you have orgs enabled
 KEYCLOAK_SCOPES="openid profile ol-profile"
 KEYCLOAK_SVC_KEYSTORE_PASSWORD=supertopsecret1234
 KEYCLOAK_SVC_HOSTNAME=kc.ol.local

main/settings.py

@@ -356,6 +356,7 @@
         "first_name": "given_name",
         "last_name": "family_name",
         "name": "name",
+        "organizations": "organization",
     },
     "profiles.Profile": {
         "name": "name",